It's me again... Sorry. Everything that has been instructed (i.e. route map and such) is working great!... Before I implement this, can someone confirm for me the answer to this question...
As stated in a previous thread, I have one 3725 router and 2 firewalls (checkpoint and sonicwall). I want all general users to be sent to the checkpoint T1 for internet and only privileged users to be sent to the Sonicwall Bonded T1 for internet... Thanks to the help of Jon and Laurent, I have the route maps working great to delineate this traffic as stated before...
My question is regarding static routes... I have an ACL that specifies the host IP address authorized for using the SonicWall connection and a next hop associating that IP with the SonicWall firewall. The issue is with regard to the Checkpoint being the internet connection that all of our VPN tunnels terminate to. So I plan on using static routes to force all traffic that is destined for those subnets, even if it is from a privileged user that the router forwards out the SonicWall, to be redirected out the Checkpoint... Will static routes intervene in the route map association? In other words, will a privileged user, whose IP address is set in the ACL on the router to go only to the SonicWall for internet, be redirected to the Checkpoint if he/she is trying to access a subnet that a static route routes?
PBR will take precedence over a static route so your Sonicwall users will be sent to the Sonicwall for everything.
What you can do is add denies in the ACL for the remote VPN tunnels, so let's say the remote subnets for the VPNs are
and the people who access the sonicwall for internet connection are 192.168.5.0/24
access-list 101 deny ip 192.168.5.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
Any traffic matching one of the deny lines in ACL 101 will bypass PBR and use the router's routing table, which is what you want.
Note - access-list 101 is the access-list you are using in your route-map for Sonicwall users.
You have to put the denies before the permit or it won't work.
You will obviously need to edit for your environment in terms of source IP addresses and destination VPN subnets.
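To see why the deny-before-permit ordering matters, here is a small Python model of how a policy route-map consults its ACL. It is an added example, not configuration or code from the thread: it parses ACL 101 exactly as written above, treats a permit match as "send to the route-map's next hop" and a deny match (or the implicit deny at the end of every IOS ACL) as "fall back to the routing table", and then runs the three cases discussed in the thread plus the broken permit-first ordering. The next-hop addresses, the static routes and the sample source/destination IPs are constructed placeholders.

```python
"""Model of how a Cisco IOS policy route-map consults its ACL (added example,
not from the original thread). A 'permit' match applies the route-map's
next hop; a 'deny' match, or falling off the end of the ACL (implicit deny),
skips PBR and uses the normal destination-based routing table.
Next-hop addresses below are constructed placeholders."""
import ipaddress

# Constructed placeholder next hops; substitute the real firewall inside addresses.
SONICWALL = "10.0.0.2"   # privileged users' internet path
CHECKPOINT = "10.0.0.3"  # general internet path and VPN tunnel terminator

# ACL 101 exactly as written in the answer above.
ACL_101_TEXT = """
access-list 101 deny ip 192.168.5.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 101 deny ip 192.168.5.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
"""

# Routing table entries (prefix, next hop): constructed statics for the VPN
# subnets plus a default route, all pointing at the Checkpoint.
ROUTING_TABLE = [
    ("172.16.5.0/24", CHECKPOINT),
    ("172.16.6.0/24", CHECKPOINT),
    ("0.0.0.0/0", CHECKPOINT),
]

def _parse_addr(tokens, i):
    """Parse one ACL address spec starting at tokens[i].
    Returns ((network_int, wildcard_int), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wc = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wc), i + 2

def parse_acl(text):
    """Turn 'access-list N permit|deny ip SRC DST' lines into (action, src, dst) tuples."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        action = tokens[2]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, src, dst))
    return entries

def _matches(addr, spec):
    """Wildcard-mask compare: bits set in the wildcard are don't-care bits."""
    network, wildcard = spec
    a = int(ipaddress.IPv4Address(addr))
    return (a | wildcard) == (network | wildcard)

def acl_result(entries, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, s, d in entries:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"

def next_hop(entries, src, dst, pbr_next_hop=SONICWALL, table=ROUTING_TABLE):
    """PBR decision: permit -> policy next hop; deny -> longest-prefix table lookup."""
    if acl_result(entries, src, dst) == "permit":
        return pbr_next_hop
    ip = ipaddress.IPv4Address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

if __name__ == "__main__":
    acl = parse_acl(ACL_101_TEXT)
    for src, dst in [("192.168.5.10", "198.51.100.7"),   # privileged -> internet
                     ("192.168.5.10", "172.16.5.20"),    # privileged -> VPN subnet
                     ("192.168.9.10", "198.51.100.7")]:  # general user -> internet
        print(f"{src:>14} -> {dst:<14} via {next_hop(acl, src, dst)}")
    # Same lines with the permit first: the denies are never reached.
    wrong = parse_acl("\n".join(reversed(ACL_101_TEXT.strip().splitlines())))
    print("permit-first ACL sends VPN traffic via", next_hop(wrong, "192.168.5.10", "172.16.5.20"))
```

Running it shows the privileged user going to the SonicWall for general internet but to the Checkpoint for the two VPN subnets, the general user always using the routing table, and, with the permit moved above the denies, the VPN traffic also landing on the SonicWall because the first matching line wins.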